Two weeks ago, the Federal Bureau of Investigation (FBI) obtained a court order in Connecticut, USA. This court order allowed the FBI to undertake an anti-cybercrime operation of a sort which had never been authorised before in America.

Not only did the cops seize various US-based Command and Control (C&C) servers belonging to the Coreflood botnet, but they also redirected all traffic intended for those servers to a surrogate server under their own control.

When infected PCs connected to the surrogate, the cops instructed the bot process to terminate, provided that the PC appeared to be in the US, and thus under their jurisdiction.

What made this court order a first in the US is that it gave law enforcement permission to interfere directly with computers belonging to users who weren’t being investigated, or charged with any crime.

The motivation for this novelty was that the Coreflood bot family is notorious for exfiltrating data from infected PCs. As the FBI’s Temporary Restraining Order puts it, Coreflood sets out:

to commit wire fraud and bank fraud in violation of Title 18, United States Code, Sections 1343 and 1344, and to engage in unauthorised interception of electronic communications in violation of Title 18, United States Code, Section 2511.

But the Electronic Frontier Foundation (EFF), a worldwide privacy advocacy group, expressed concerns about this sort of legally-endorsed interference. In particular, the EFF pointed out that there is something unappealing about sending commands of any sort to unknown malicious code on someone else’s computer without their explicit permission.

This may sound like a petty objection – and perhaps, in the real world, it is – but unless you know exactly which variant of the bot is on each PC, there is always a potential risk with trying to use a bot against itself. What if the crooks have deliberately rewired the “stop” command to carry out a “format hard drive” operation instead?

Nevertheless, the FBI went ahead, and the exercise seems to have been a success. So much so, in fact, that the cops went back to court over the weekend to ask for the two-week court order to be extended for a further month.

The new court application shows that the original two-week intervention had a measurable effect, documenting graphically the decrease in US-based PCs which tried to connect to the FBI’s surrogate C&C server:

The cops also compared the relative drop in Coreflood activity in the US and overseas. Sending “stop” commands to the infected PCs was noticeably more effective than simply cutting those PCs off from the C&C servers:
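To make the mechanics of the surrogate server concrete, here is an added toy sinkhole in Python. It is not the FBI's code and not Coreflood's real protocol: it models only the two behaviours the post describes, answering a bot's check-in with a "stop" directive when the source address geolocates to the jurisdiction of the court order, and counting distinct check-ins per day and region so the drop in activity can be measured. The prefix-to-country table, the log format and the log lines are all constructed; a real sinkhole would consult a GeoIP database.

```python
"""Toy C&C sinkhole modelled on the Coreflood surrogate server described
above. Constructed example, not the FBI's code or Coreflood's protocol."""
from collections import defaultdict
import ipaddress

# Constructed prefix -> country table standing in for a GeoIP lookup.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
}

def country_of(ip: str) -> str:
    """Best-effort country code for a source address; '??' if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return "??"

def sinkhole_response(src_ip: str) -> str:
    """Directive sent back to a bot that checked in from src_ip.
    Only hosts inside the order's jurisdiction get 'stop'; every other
    check-in gets an empty reply and is merely recorded. Unknown
    locations are treated as outside the jurisdiction, not inside it."""
    return "stop" if country_of(src_ip) == "US" else ""

def checkin_counts(log_lines):
    """Distinct source IPs per (day, region) from constructed log lines
    of the form 'YYYY-MM-DD ip', the data behind the charts above."""
    seen = defaultdict(set)
    for line in log_lines:
        day, ip = line.split()
        region = "US" if country_of(ip) == "US" else "non-US"
        seen[(day, region)].add(ip)
    return {key: len(ips) for key, ips in seen.items()}

def relative_drop(counts, region, first_day, last_day) -> float:
    """Fraction by which distinct check-ins fell between two days."""
    start = counts.get((first_day, region), 0)
    end = counts.get((last_day, region), 0)
    return 1.0 - end / start if start else 0.0

# Constructed sinkhole log: three US and two non-US hosts on day one,
# one US and the same two non-US hosts on day two.
SAMPLE_LOG = [
    "2011-04-13 203.0.113.5", "2011-04-13 203.0.113.6",
    "2011-04-13 203.0.113.7", "2011-04-13 198.51.100.9",
    "2011-04-13 198.51.100.10", "2011-04-14 203.0.113.5",
    "2011-04-14 198.51.100.9", "2011-04-14 198.51.100.10",
]
```

The one-sided gating is the point: hosts outside the jurisdiction are observed and counted but never commanded, which is exactly the comparison the second chart draws.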

The big difference in the new court application is that the FBI is now asking to be allowed to uninstall Coreflood from infected PCs, not just to stop the bot process temporarily.

The FBI says it will only attempt this sort of automatic remote disinfection on “infected computers of identifiable victims who have provided written consent to do so.” This should keep the EFF happy, but it won’t be half as effective as blindly going ahead with automatic disinfection, without waiting for an exchange of written agreements.

Of course, even court-sanctioned auto-cleanup wouldn’t solve the real problem. Hundreds of thousands of users in the US (and many more than that overseas) have allowed themselves to get and to remain infected by malware which is comparatively easy to detect, remove and prevent.

As the FBI’s court application wryly notes in conclusion:

While the use of an "uninstall" command to remove Coreflood cannot be considered a replacement for the use of properly configured and updated anti-virus software, removing Coreflood from infected computers will at least serve to eliminate a known threat to that victim’s privacy and financial security.

These infected PCs actually pose a known threat not only to the victims, but also to the internet as a whole, and they advertise their infection by openly calling home to the C&C servers.

So, perhaps the FBI should have applied for permission to go at the problem in a much more gung-ho fashion, without the written permission clause?

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Follow him on Twitter: @duckblog

20 comments on “FBI takes on Coreflood botnet – but is this a step too far?”

That then creates another problem. Users won't be able to download and install antivirus/antimalware programs or even update them. They'll have to go to another computer and download the programs on a USB stick or burn it to a CD.

I suppose you could also buy the AV software @ Walmart, Best Buy, etc but if that AV fails to remove the botnet then you have lost the money you paid for it b/c opened software can not be returned for a refund.

And we ALL know how many people in the US are not good enough with computers to achieve this. Obtaining good security software is a challenge for them because they don't know which is the right one to choose, all AVs don't detect every infection (in this case I bet some of the major AVs don't even detect this damn botnet) or it could lead to the worst side effect, which is the user mistakenly installing a fake AV program while searching for a good AV program, or purchasing a subscription to one of the real AV companies but that AV ends up not removing the botnet because it can't detect it (aka a waste of $80 since I don't think the AV industry is in the habit of giving back refunds, and now you have to find another AV that CAN remove the botnet).

Most antivirus companies offer a free 60 day trial of their software, which can be used to remove an infection. If one company's software doesn't work, then another one can be tried. The end-user would only be out the time involved installing and uninstalling programs and temporary charge to their credit card account, which can be refunded at every stage in the case of downloaded software.

This seems like a reasonable resolution to the problem, and privacy is maintained by computer owners to the extent practical, and not in government hands either.

Problem I found is those trials will detect viruses, but if you want to actually remove a detected virus you get directed to a buy-it page where you have to pay first. Really helps if one of those viruses is set to steal your credit card info as you enter it just to try to remove the virus.

My favorite category is not there. The FBI Programmers cannot be trusted to be "as good as" the "crackers" in every case. However, an Open Source group established to do this will be. I would be intrigued by the very nature of the "Open Source Cracker Bashers" and the data-base established of the people who look at the "Open Source" code.

Most "Crackers" appear to be children and non-Computer Whizkids who work with one of the prepackaged codesets out on the net. Those should be attacked as fast as you can AND the young perpetrators should have their pee-pees whacked, publicly so the practice loses its glamor. (You don't want them to reproduce if they are untrainable.) I don't advocate putting them in the legal system, but I would make sure they had a mentor when they coded (for awhile.)

If the government has the money to hire these programmers, the programmers should be working to take the Power, Water, Trucking, Railroad, & Sewage systems OFF THE NET.

The FBI informs the computer owner that their computer is unwittingly hosting illegal software and that they have a time period (two weeks?) after which time the FBI will take further action such as disinfection of the computer.

This would convert the computer owner to a knowledgeable state where if they continued knowingly running software that was actively harming other computers they would be knowingly committing some kind of crime. This would give the FBI et al access to a much greater range of remedies. This may work internationally too albeit in a limited way.

Hopefully a letter like this would cause most users/owners to take action.

The letter would also have a nice bit with lots of information on how to effect a clean up along with free anti virus installation. Also it should mention a list of companies that would do the work for a discount fee.

I agree with the idea of notification warning PC owners of the infection on their PC but would add temporarily blocking the malware as well as offering free or discounted virus protection. If the FBI is going to get involved with cleaning up the internet then the only true way to reduce threats to financial and personal information is to offer on going protection as well. I pay about $80 a year for my current anti virus program. I would not mind paying the same or less to a government sponsored service that not only provides my PC with on going protection but also searches for infected machines as well.

Unfortunately, many scams pose as law enforcement notifying the user of an infection etc. And if the FBI actually started doing this, it would lend credence to the scams and cause even more confusion. Botnet control nodes are easily detected, ISPs could deny traffic to control nodes based on publicly maintained blacklists and at the same time maintain a database of infected client machines. The ISPs could contact the customers via their normal snailmail channels along with their statements perhaps.

Isn't this just a legal approach to something like the Welchia Worm? ( http://en.wikipedia.org/wiki/Welchia ) Which helped protect users against the infamous Blaster Worm. One of the problems with the internet is that anybody can use it – whether they're intelligent enough to use protective software or not!

The problem with Nachi and other "set a virus to catch a virus" viruses is that they're viruses. They spread automatically, breaking into and infecting other PCs without permission (and regardless of jurisdiction) and then spread onwards from those PCs to the next lot, and so on. So there is a huge problem of control – previously uninfected (albeit unpatched and vulnerable) systems become infected. If there's a bug in the virus, how do you fix it? How do you call it back?

The FBI proposal is very different. PCs which are already reaching out to a specific server for instructions – PCs which are already infected – are being given alternative instructions by order of a court. The FBI isn't trying to break into those PCs, but merely taking advantage of the fact that the PC has already "asked for" some instructions to follow.

The FBI isn't trying to break into PCs which might be at risk of Coreflood but aren't yet infected. Nor are they instructing already infected PCs to go looking for other parts of the bot network to break into in turn.

I have absolutely no problem with this other than the caveat that the FBI Programmers are probably not good enough to write the code to clean the captured machines. And I do believe that they should “clean” the infection off the machines that are “phoning in.” Since they are in a position to replace the server I would also expect huge Press Releases and very Public Trials and a Guantanamo-like prison with Joe Arapaio in charge and pink shorts in the middle of the desert. But it does no good to have a long sentence, the big thing is to utterly emasculate their User Name and Nicknames and Reputation.

1) I do not want the FBI to have a "per-user granularity" with their tools. If they can block me, they can block everybody they think is like me,

3) The FBI should NEVER be big enough to audit 300 million users. They should never be allowed to inform a User that his machine is "Infected." The biggest problem right now is the million and a half Websites that tell you that your machine is infected and that they have the cure…

4) As I said above, I don't believe we have enough people capable of writing that anti-cracker stuff. I haven't heard from Gene in years, I suspect he has gone "behind the fence."

The second (third?) point is a tricky one. The Dutch police recently did remote mitigation of the Bredo bot – they uploaded a program to infected PCs which called home, and the program gave them a warning and a link to helpful instructions. Of course – as you suggest – this is just the sort of thing that 1,500,000 websites will pop up to warn you, only to whisk you off to a Fake Anti-Virus page. How are users to tell the difference?

On the other hand, are we to shy away from warning users that they have malware just because there are lots of fake warnings popping up?

(The simple answer to the "warning problem" is for the courts to authorise silent and automatic cleanup so no warning even appears. But whether or not unannounced cleanup is OK is the issue we're voting on in the poll 🙂)

A) block the computer from accessing the net. You can have it go to a particular web page or pop up a note explaining why. Odds are people will disregard that as some sort of scam though. A physical mailer could be sent second – but then there's the issue of privacy… and again, they could think it's junk mail. As a result, I think it'd be best for their service provider to be notified and the provider to reach out to the customer explaining why they won't be able to access the internet until their computer is cleaned and walking them through the steps on how to do that…

B) I'd rather them clear it without consent than sit there waiting for infected users to approve the action while they can still be on the net. If people were going to their houses and taking their computers – that'd be crossing the line. Pushing something to their computer to make it safe is smart – and protects others from the infected user's neglect… in a way – it's protecting them from themselves… and others from them.

If I had a dime for every Nigerian scam email I have received that purports to be from the FBI or such like, I would never need to work another day in my life. How often have you routinely deleted these, usually without opening them? In the absence of an easy way for users to realize right off that any notification on the Coreflood is legitimate and won’t land you in some pop-up hell, the attempt is unlikely to be successful.

My feelings about letting the FBI automatically clean users’ computers with or without permission are definitely mixed. From the standpoint of preventing identity theft and the fact that many users don’t have the brains to scan their own computers on a regular basis, it seems to make a lot of sense. On the other hand, I am deeply disturbed by the extent to which our electronic communications are able to be, and are, monitored without probable cause, initially to seek out supposed “terrorists” and increasingly people engaged in all manner of political activism. There is a “big brother” quality to all of this that the EFF has good reason to be queasy about.

Paul Ducklin’s point in the comments — that ‘PCs which are already reaching out to a specific server for instructions – PCs which are already infected – are being given alternative instructions by order of a court. The FBI isn’t trying to break into those PCs, but merely taking advantage of the fact that the PC has already “asked for” some instructions to follow’ — is a valid one. I would not be inclined to object to having the FBI uninstall the malware AS LONG AS no other information is obtained from the users’ computers or their ISPs. This would obviate any attempt to send personalized notifications.

It is a must that whatever is decided upon be done in as open and transparent a manner as possible without giving hackers enough information to circumvent it.

I have no problem with them remotely executing and removing Coreflood without a user’s permission. Face it, if threats such as this are to be eliminated, this is the only way, and if you told someone they had a high level infection that was stealing all of their data and putting them at risk financially, how many would refuse if you offered to fix it for free?

If we are going to clean up the internet, it isn’t going to happen by the users. We’ve learned that much already.